They say charity starts at home – so does Enterprise Risk Management (ERM). We can learn a lot from what we do well in our own lives and apply the same principles to our work lives.
Risk, according to the ISO 31000 standard, is the “effect of uncertainty on objectives”. “Objectives” are the starting point of ERM. You cannot do any meaningful risk management without starting with, and clearly articulating your objectives. This is the critical link between ERM and Strategy.
One of the objectives of most people in their personal lives, I hope, is: To live a long, healthy and fulfilling life.
The second step is to understand what critical processes need to work well in order to achieve our stated objectives. In our personal life example, these critical processes will consist mainly of our vital organs, our heart, liver, kidneys, brain and so on. In your business life, it is the critical processes on which your business depends – in other words, the critical parts of your operating model. Once we understand the critical functions/processes, we can then move to the third step of identifying the risks that could cause the functions/processes to fail.
In your personal life this will include such things as heart attack, melanoma, lung disease and so on. In your work life it will be a suite of corporate risks including cyber attacks, internal and external fraud, third party failure and so on.
The next stage is to analyse our key risks in detail so we understand their root causes and how they link to the failure of the critical processes and, by extension, our objectives. For example, a heart attack may be caused, among other things, by clogged arteries. Clogged arteries may be caused by cholesterol, which in turn could be caused by diet or be hereditary. Heart attack then leads to failure of the heart as a vital organ, which leads to the failure of our long and healthy life objective.
Lastly, we identify our controls. For health risk, we may have diet, drugs, regular checkups, surgery etc. These controls can be classified into Preventive, Detective and Reactive, with Preventive operating proactively at the earliest point of the risk, Detective somewhere in the middle of the risk's life while Reactive controls operate at the end of risk's life focused on minimising impact.
An example bow tie for staff absenteeism is shown below:
Fig 1. Bow Tie analysis example (image not reproduced here). Source: Protecht.BowTie (available for iOS tablets on the App Store)
Once we have analysed our risks and related controls, we need to manage them, i.e. the process of Enterprise Risk Management (ERM).
How healthy are you and how healthy is your business?
David Tattam is the Chief of Research, Knowledge and Consulting and co-founder of the Protecht Group. David’s vision is to redefine the way the world thinks about risk and to develop risk management to its rightful place as a key driver of value creation in each of Protecht’s clients. David is the driving force behind pushing Protecht’s risk thinking to the frontiers of what is possible in risk management and supporting the uplift of people’s risk capability through training and content.